Using CLI to Query pcap Data
You can search or filter the pcap data with one of the following command line tools:
- Fixed filter option
- Query filter option (Metron Stellar)

Both are run through the same script; the first argument selects the mode:

```sh
$METRON_HOME/bin/pcap_query.sh [fixed|query]
```
> **Note:** Because the output from a query can be very large, we recommend appending
You can filter or query on the following fields in the pcap data:

- ip_src_addr
- ip_dst_addr
- ip_src_port
- ip_dst_port
- protocol
- timestamp
Fixed filter options:

```text
 -bop,--base_output_path <arg>   Query result output path. Default is
                                 '/tmp'.
 -bp,--base_path <arg>           Base PCAP data path. Default is
                                 '/apps/metron/pcap'.
 -da,--ip_dst_addr <arg>         Destination IP address.
 -df,--date_format <arg>         Date format to use for parsing start_time
                                 and end_time. Default is to use time in
                                 millis since the epoch.
 -dp,--ip_dst_port <arg>         Destination port.
 -et,--end_time <arg>            Packet end time range. Default is current
                                 system time.
 -nr,--num_reducers <arg>        The number of reducers to use. Default
                                 is 10.
 -h,--help                       Display help.
 -ir,--include_reverse           Indicates if the filter should also match
                                 packets with the src/dst addresses and
                                 ports swapped (the reverse direction of
                                 the same flow).
 -p,--protocol <arg>             IP protocol number (for example 6 for
                                 TCP, 17 for UDP).
 -rpf <arg>                      Maximum number of records per file.
 -sa,--ip_src_addr <arg>         Source IP address.
 -sp,--ip_src_port <arg>         Source port.
 -st,--start_time <arg>          (required) Packet start time range.
```
Fixed filter example (the start time is given as a calendar date, so `-df` must supply the matching format; 203.0.113.12 is an RFC 5737 documentation address standing in for a real destination):

```sh
$METRON_HOME/bin/pcap_query.sh fixed \
  -st "20160617" \
  -df "yyyyMMdd" \
  -sa 192.168.138.158 \
  -da 203.0.113.12 \
  -sp 49197 \
  -dp 80 \
  -p 6 \
  -rpf 500
```

Query filter options:
```text
 -bop,--base_output_path <arg>   Query result output path. Default is
                                 '/tmp'.
 -bp,--base_path <arg>           Base PCAP data path. Default is
                                 '/apps/metron/pcap'.
 -df,--date_format <arg>         Date format to use for parsing start_time
                                 and end_time. Default is to use time in
                                 millis since the epoch.
 -et,--end_time <arg>            Packet end time range. Default is current
                                 system time.
 -nr,--num_reducers <arg>        The number of reducers to use. Default
                                 is 10.
 -h,--help                       Display help.
 -q,--query <arg>                Stellar query string to use as a filter.
 -rpf <arg>                      Maximum number of records per file.
 -st,--start_time <arg>          (required) Packet start time range.
```

Query filter examples:
The same five-tuple as the fixed example, expressed as a Stellar filter (the start time is a calendar date, so `-df` is required):

```sh
$METRON_HOME/bin/pcap_query.sh query \
  -st "20160617" \
  -df "yyyyMMdd" \
  --query "ip_src_addr == '192.168.138.158' and ip_src_port == '49197' \
    and ip_dst_addr == '203.0.113.12' and ip_dst_port == '80' \
    and protocol == '6'" \
  -rpf 500
```

The same query with the start time given in the default unit, milliseconds since the epoch (1466136000000 is 2016-06-17 04:00:00 UTC), and the source constrained to a subnet instead of a single address:

```sh
$METRON_HOME/bin/pcap_query.sh query \
  -st "1466136000000" \
  --query "IN_SUBNET(ip_src_addr, '192.168.0.0/24') and ip_src_port == '49197' \
    and ip_dst_addr == '203.0.113.12' and ip_dst_port == '80' \
    and protocol == '6'" \
  -rpf 500
```

Further expressions that can be passed as the `--query` argument:

```sh
# subnet function checks that an IP is in the specified subnet
--query "IN_SUBNET(ip_src_addr, '192.168.0.0/24') \
  and ip_src_port == '49197' \
  and ip_dst_addr == '203.0.113.12' \
  and ip_dst_port == '80' \
  and protocol == '6'"

# range queries on ports
--query "ip_src_port <= 50000 and ip_dst_port >= 30000"

# range queries with conditionals and parentheses
--query "(ip_src_port < 50000 and ip_src_port > 40000) \
  or (ip_src_port < 20000 and ip_src_port > 10000)"

# in/not in list of values
--query "ip_src_port < 10000 and ip_dst_port in ['54056', '54057', '8080']"
```
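The examples above leave two things to the reader: how to produce the millisecond epoch value that `-st` and `-et` expect when `-df` is not given, and how to build a `--query` expression from a list of indicators without letting a malformed entry change the filter. The following script is an added example, not code from the Metron project or from this page. It converts a UTC timestamp to epoch milliseconds in plain shell arithmetic (so it does not depend on GNU `date` flags), builds an `IN_SUBNET` plus `in [...]` Stellar expression while rejecting anything that is not a dotted-quad IPv4 address or an IPv4/prefix, and prints the resulting `pcap_query.sh query` command line for review. The function names `days_from_civil`, `utc_to_epoch_millis`, `is_ipv4`, `is_cidr`, `build_query` and `pcap_query_cmd`, the fallback install path `/usr/metron`, and the sample window and addresses are all chosen for this example; it assumes a POSIX shell with 64-bit arithmetic.

```shell
#!/bin/sh
# Added example, not Metron project code: build a pcap_query.sh "query"
# invocation from a UTC time window and a list of suspect destination IPs.
# Assumes POSIX sh with 64-bit arithmetic; all names and sample values
# here are chosen for this example.
set -eu

# Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's
# days_from_civil algorithm) in shell arithmetic, so no GNU-specific
# date(1) flags are needed. Valid for years >= 1; plain decimal arguments.
days_from_civil() {
  local y m d era yoe mp doy doe
  y=$1; m=$2; d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi          # March-based year
  era=$((y / 400))
  yoe=$((y - era * 400))                              # year of era [0, 399]
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(((153 * mp + 2) / 5 + d - 1))                 # day of year, March = 0
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))      # day of era
  echo $((era * 146097 + doe - 719468))
}

# "YYYY-MM-DD HH:MM:SS" in UTC -> milliseconds since the epoch, which is
# the unit -st and -et expect when -df is not given.
utc_to_epoch_millis() {
  local dpart tpart y m d H M S days
  dpart=${1%% *}; tpart=${1#* }
  y=${dpart%%-*}; m=${dpart#*-}; d=${m#*-}; m=${m%%-*}
  H=${tpart%%:*}; M=${tpart#*:}; S=${M#*:}; M=${M%%:*}
  # strip one leading zero so "08"/"09" are not parsed as bad octal literals
  m=${m#0}; d=${d#0}; H=${H#0}; M=${M#0}; S=${S#0}
  days=$(days_from_civil "$y" "$m" "$d")
  echo $(((days * 86400 + H * 3600 + M * 60 + S) * 1000))
}

# Accept only dotted-quad IPv4 (or IPv4/prefix) so that a stray line in an
# indicator file cannot inject operators into the Stellar expression.
is_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
is_cidr() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; }

# Stellar filter: source inside SUBNET and destination in the IOC list,
# using the IN_SUBNET function and the "in [...]" list syntax shown above.
build_query() {
  local subnet list sep ioc
  subnet=$1; shift
  is_cidr "$subnet" || { echo "build_query: bad subnet '$subnet'" >&2; return 1; }
  [ $# -gt 0 ] || { echo "build_query: no IOCs given" >&2; return 1; }
  list=''; sep=''
  for ioc in "$@"; do
    is_ipv4 "$ioc" || { echo "build_query: rejecting IOC '$ioc'" >&2; return 1; }
    list="${list}${sep}'${ioc}'"
    sep=', '
  done
  printf "IN_SUBNET(ip_src_addr, '%s') and ip_dst_addr in [%s]" "$subnet" "$list"
}

# Assemble the query-mode command line documented on this page. It is
# printed rather than executed so the analyst can review the filter first.
# /usr/metron is only an assumed fallback when METRON_HOME is not set.
pcap_query_cmd() {
  local st et query
  st=$1; et=$2; query=$3
  printf '%s/bin/pcap_query.sh query -st %s -et %s -rpf 500 --query "%s"\n' \
    "${METRON_HOME:-/usr/metron}" "$st" "$et" "$query"
}

# Constructed sample: a four-hour window starting at the page's own example
# start time (1466136000000 = 2016-06-17 04:00:00 UTC) and two suspect
# destinations taken from RFC 5737 documentation ranges.
ST=$(utc_to_epoch_millis "2016-06-17 04:00:00")
ET=$(utc_to_epoch_millis "2016-06-17 08:00:00")
Q=$(build_query 192.168.0.0/24 203.0.113.12 198.51.100.7)
pcap_query_cmd "$ST" "$ET" "$Q"
```

Run the script as-is to see the command it would issue; copy it into a shell on a node where `pcap_query.sh` is installed once the printed expression looks right. The quoting matters: the whole Stellar expression must reach the script as a single argument, which is why `pcap_query_cmd` wraps it in double quotes and `build_query` single-quotes each literal exactly as the page's examples do.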
